CVE-2019-14544: Insecure Permissions in Gogs

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.5321%
Published: 5/18/2021
Updated: 1/9/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: gogs.io/gogs
Ecosystem: go
Vulnerable Versions: < 0.11.91
First Patched Version: 0.11.91

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from using site-wide admin checks (reqAdmin) instead of repository-specific admin checks (reqRepoAdmin) for sensitive repository operations. The commit c3af3ff shows replacements of reqAdmin() with reqRepoAdmin() in three critical route groups: 1) /hooks endpoints, 2) /collaborators endpoints, and 3) /keys (deploy keys) endpoints. These routes required repository admin permissions but were previously guarded by global admin checks, allowing unauthorized access to repository management functions through the API.

WAF Protection Rules

WAF Rule

routes/api/v1/api.go in Gogs *.**.** lacks permission checks for routes: deploy keys, collaborators, and hooks.
